From 686be7e8f788bfecdd947f5ca049b9bbd0522583 Mon Sep 17 00:00:00 2001
From: BT <fsociety.mp4@pm.me>
Date: Mon, 4 May 2026 00:36:00 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20**Nostr=20Login:**=20Prevented=20se?=
 =?UTF-8?q?ssion=20race=20conditions=20during=20login=20flow.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 🛡️ Added `nostrLoginInProgress` flag to pause `wire:poll` during Nostr login round-trip.
- 🔄 Removed redundant `Session::regenerate()` to avoid session ID conflicts.
- 🪲 Improved error handling for signature serialization and Nostr signer unavailability.
---
 resources/js/nostrLogin.js                    | 98 ++++++++++++-------
 resources/views/livewire/auth/login.blade.php | 12 ++-
 2 files changed, 71 insertions(+), 39 deletions(-)

diff --git a/resources/js/nostrLogin.js b/resources/js/nostrLogin.js
index 88d7563..7b6c15d 100644
--- a/resources/js/nostrLogin.js
+++ b/resources/js/nostrLogin.js
@@ -5,6 +5,11 @@ export default () => ({
     startTime: null,
     pollCount: 0,
     MAX_POLL_COUNT: 30,
+    // Toggled while window.nostr.signEvent is awaiting the wallet so we can
+    // pause wire:poll, preventing it from racing with auth()->login()'s
+    // session-id migration (which would otherwise yield a 419 on the next
+    // round-trip).
+    nostrLoginInProgress: false,
 
     async init() {
         this.startTime = Date.now();
@@ -42,47 +47,66 @@ export default () => ({
     },
 
     async openNostrLogin() {
-        const challenge = await this.resolveChallenge();
+        // Flip the flag immediately so the wire:poll <template x-if> in the
+        // blade unmounts the polling element before we kick off any async
+        // work. Stays true through the dispatch so the subsequent
+        // auth()->login() round-trip is the only request in flight.
+        this.nostrLoginInProgress = true;
 
-        if (!challenge) {
-            this.showAuthError('Login challenge missing. Please reload and try again.');
-            return;
-        }
-
-        if (!window.nostr || typeof window.nostr.signEvent !== 'function') {
-            this.showAuthError('No Nostr signer found. Please install a Nostr browser extension.');
-            return;
-        }
-
-        const event = {
-            kind: 22242,
-            created_at: Math.floor(Date.now() / 1000),
-            tags: [['challenge', challenge]],
-            content: '',
-        };
-
-        let signedEvent;
         try {
-            signedEvent = await window.nostr.signEvent(event);
-        } catch (error) {
-            console.error('Nostr signEvent failed:', error);
-            this.showAuthError('Could not sign Nostr login event. Please try again.');
-            return;
-        }
+            const challenge = await this.resolveChallenge();
 
-        // Some Nostr extensions return objects wrapped in extension-specific
-        // proxies (e.g. cloneInto results) that Livewire cannot serialize.
-        // Round-trip through JSON to guarantee a plain, cloneable object.
-        let plainSignedEvent;
-        try {
-            plainSignedEvent = JSON.parse(JSON.stringify(signedEvent));
-        } catch (error) {
-            console.error('Nostr signedEvent serialization failed:', error);
-            this.showAuthError('Wallet returned an incompatible signature. Please try a different wallet.');
-            return;
-        }
+            if (!challenge) {
+                this.showAuthError('Login challenge missing. Please reload and try again.');
+                this.nostrLoginInProgress = false;
+                return;
+            }
 
-        this.$dispatch('nostrLoggedIn', {signedEvent: plainSignedEvent});
+            if (!window.nostr || typeof window.nostr.signEvent !== 'function') {
+                this.showAuthError('No Nostr signer found. Please install a Nostr browser extension.');
+                this.nostrLoginInProgress = false;
+                return;
+            }
+
+            const event = {
+                kind: 22242,
+                created_at: Math.floor(Date.now() / 1000),
+                tags: [['challenge', challenge]],
+                content: '',
+            };
+
+            let signedEvent;
+            try {
+                signedEvent = await window.nostr.signEvent(event);
+            } catch (error) {
+                console.error('Nostr signEvent failed:', error);
+                this.showAuthError('Could not sign Nostr login event. Please try again.');
+                this.nostrLoginInProgress = false;
+                return;
+            }
+
+            // Some Nostr extensions return objects wrapped in extension-specific
+            // proxies (e.g. cloneInto results) that Livewire cannot serialize.
+            // Round-trip through JSON to guarantee a plain, cloneable object.
+            let plainSignedEvent;
+            try {
+                plainSignedEvent = JSON.parse(JSON.stringify(signedEvent));
+            } catch (error) {
+                console.error('Nostr signedEvent serialization failed:', error);
+                this.showAuthError('Wallet returned an incompatible signature. Please try a different wallet.');
+                this.nostrLoginInProgress = false;
+                return;
+            }
+
+            // Leave nostrLoginInProgress = true: the loginListener will issue
+            // a redirect; resetting the flag here would re-mount wire:poll and
+            // race the redirect.
+            this.$dispatch('nostrLoggedIn', {signedEvent: plainSignedEvent});
+        } catch (error) {
+            console.error('openNostrLogin unexpected error:', error);
+            this.showAuthError('Authentication failed. Please try again.');
+            this.nostrLoginInProgress = false;
+        }
     },
 
     initErrorPolling() {
diff --git a/resources/views/livewire/auth/login.blade.php b/resources/views/livewire/auth/login.blade.php
index 2a58829..371381e 100644
--- a/resources/views/livewire/auth/login.blade.php
+++ b/resources/views/livewire/auth/login.blade.php
@@ -291,8 +291,10 @@ class extends Component {
 
         if ($loginKey) {
             $user = User::find($loginKey->user_id);
+            // auth()->login() already migrates the session id (rotates cookie).
+            // An additional Session::regenerate() races with the in-flight
+            // wire:poll request and produces 419s on the next round-trip.
             auth()->login($user);
-            Session::regenerate();
             session([
                 'lang_country' => $this->currentLangCountry,
             ]);
@@ -424,5 +426,11 @@ class extends Component {
         </div>
     </div>
 
-    <div wire:poll.4s="checkAuth" wire:key="checkAuth"></div>
+    {{-- Pause Livewire polling while a Nostr signature round-trip is in
+         flight. Otherwise wire:poll can fire a parallel /livewire/update
+         request that races with auth()->login()'s session migration and
+         lands on an invalidated session id, producing 419 TokenMismatch. --}}
+    <template x-if="!nostrLoginInProgress">
+        <div wire:poll.4s="checkAuth" wire:key="checkAuth"></div>
+    </template>
 </div>